feat: extract initrd-ssh module from hardware config

2026-02-21 20:45:24 +01:00
parent a2abf10e39
commit 8406979975
6 changed files with 144 additions and 72 deletions
--- a/hosts/matej-nixos/configuration.nix
+++ b/hosts/matej-nixos/configuration.nix
@@ -24,6 +24,7 @@ in
    inputs.self.nixosModules.tuigreet
    inputs.self.nixosModules.workstation
    inputs.self.nixosModules.nvidia
+    inputs.self.nixosModules.initrd-ssh
  ];

  # Modules
@@ -46,6 +47,17 @@ in

  nvidia.enable = true;

+  initrd-ssh = {
+    enable = true;
+    networkModule = "r8169";
+    ip = {
+      enable = true;
+      address = "10.222.0.247";
+      gateway = "10.222.0.1";
+      interface = "enp5s0";
+    };
+  };
+
  # Stylix theming
  stylix = {
    enable = true;
--- a/hosts/matej-nixos/hardware-configuration.nix
+++ b/hosts/matej-nixos/hardware-configuration.nix
@@ -1,6 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
+# autogenerated by 'nixos-generate-config'
 {
  config,
  lib,
@@ -14,45 +12,17 @@
    (modulesPath + "/installer/scan/not-detected.nix")
  ];

+  hardware.firmware = [ pkgs.linux-firmware ];
+
  boot.initrd.availableKernelModules = [
    "nvme"
    "xhci_pci"
    "ahci"
    "usbhid"
-    "usb_storage"
-    "sd_mod"
-  ];
-  boot.initrd.kernelModules = [
-    "dm-snapshot"
-    "r8169"
-  ];
-  boot.kernelModules = [
-    "kvm-amd"
  ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
-  boot.kernelParams = [
-    "ip=10.222.0.247::10.222.0.1:255.255.255.0::enp5s0:none"
-  ];
-
-  boot.initrd.network = {
-    enable = true;
-    ssh = {
-      enable = true;
-      port = 22;
-      hostKeys = [
-        "/etc/secrets/initrd/ssh_host_rsa_key"
-        "/etc/secrets/initrd/ssh_host_ed25519_key"
-      ];
-      authorizedKeys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQGLdINKzs+sEy62Pefng0bcedgU396+OryFgeH99/c janezicmatej"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDk00+Km03epQXQs+xEwwH3zcurACzkEH+kDOPBw6RQe openpgp:0xB095D449"
-      ];
-    };
-    postCommands = ''
-      echo 'cryptsetup-askpass' >> /root/.profile
-    '';
-
-  };

  boot.initrd.luks.devices."cryptlvm".device =
    "/dev/disk/by-uuid/af0608c0-67cd-4ae4-b12c-252fa947da40";
--- a/hosts/matej-tower/configuration.nix
+++ b/hosts/matej-tower/configuration.nix
@@ -22,6 +22,7 @@
    inputs.self.nixosModules.gnupg
    inputs.self.nixosModules.tuigreet
    inputs.self.nixosModules.workstation
+    inputs.self.nixosModules.initrd-ssh
  ];

  # Modules
@@ -38,6 +39,11 @@
  };
  sway.enable = true;

+  initrd-ssh = {
+    enable = true;
+    networkModule = "r8169";
+  };
+
  # Stylix theming
  stylix = {
    enable = true;
--- a/hosts/matej-tower/hardware-configuration.nix
+++ b/hosts/matej-tower/hardware-configuration.nix
@@ -1,6 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
+# autogenerated by 'nixos-generate-config'
 {
  config,
  lib,
@@ -20,13 +18,9 @@
    "nvme"
    "xhci_pci"
    "ahci"
-    "usb_storage"
-    "sd_mod"
-  ];
-  boot.initrd.kernelModules = [
-    "dm-snapshot"
-    "r8169"
+    "usbhid"
  ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];

@@ -51,34 +45,6 @@
    { device = "/dev/disk/by-uuid/e0952ef2-1a9a-4022-bbcf-b2f016384258"; }
  ];

-  boot.initrd.network = {
-    enable = true;
-    ssh = {
-      enable = true;
-      port = 22;
-      hostKeys = [
-        "/etc/secrets/initrd/ssh_host_rsa_key"
-        "/etc/secrets/initrd/ssh_host_ed25519_key"
-      ];
-      authorizedKeys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQGLdINKzs+sEy62Pefng0bcedgU396+OryFgeH99/c janezicmatej"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDk00+Km03epQXQs+xEwwH3zcurACzkEH+kDOPBw6RQe openpgp:0xB095D449"
-      ];
-    };
-    postCommands = ''
-      echo 'cryptsetup-askpass' >> /root/.profile
-    '';
-
-  };
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlp11s0.useDHCP = lib.mkDefault true;
-
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/modules/nixos/initrd-ssh.nix
+++ b/modules/nixos/initrd-ssh.nix
@@ -0,0 +1,94 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  # TODO:(@janezicmatej) restructure keys import
+  keys = import ../../users/matej/keys.nix;
+
+  cfg = config.initrd-ssh;
+
+  # Generate keys on new machines: ./scripts/initrd-ssh-keygen.sh
+  keyDir = "/etc/secrets/initrd";
+
+  mkIpString =
+    {
+      address,
+      gateway,
+      netmask,
+      interface,
+      ...
+    }:
+    "${address}::${gateway}:${netmask}::${interface}:none";
+in
+{
+  options = {
+    initrd-ssh = {
+      enable = lib.mkEnableOption "SSH in initrd for remote LUKS unlock";
+
+      ip = {
+        enable = lib.mkEnableOption "static IP for initrd (otherwise DHCP)";
+
+        address = lib.mkOption {
+          type = lib.types.str;
+          description = "Static IP address";
+          example = "10.222.0.247";
+        };
+
+        gateway = lib.mkOption {
+          type = lib.types.str;
+          description = "Gateway address";
+          example = "10.222.0.1";
+        };
+
+        netmask = lib.mkOption {
+          type = lib.types.str;
+          default = "255.255.255.0";
+          description = "Network mask";
+        };
+
+        interface = lib.mkOption {
+          type = lib.types.str;
+          description = "Network interface";
+          example = "enp5s0";
+        };
+      };
+
+      authorizedKeys = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = keys.sshAuthorizedKeys;
+        description = "SSH public keys authorized for initrd unlock";
+      };
+
+      networkModule = lib.mkOption {
+        type = lib.types.str;
+        description = "Kernel module for network interface (e.g., r8169, e1000e)";
+        example = "r8169";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    boot.initrd.kernelModules = [ cfg.networkModule ];
+    boot.kernelParams = lib.mkIf cfg.ip.enable [
+      "ip=${mkIpString cfg.ip}"
+    ];
+
+    boot.initrd.network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        port = 22;
+        hostKeys = [
+          "${keyDir}/ssh_host_rsa_key"
+          "${keyDir}/ssh_host_ed25519_key"
+        ];
+        authorizedKeys = cfg.authorizedKeys;
+      };
+      postCommands = ''
+        echo 'cryptsetup-askpass' >> /root/.profile
+      '';
+    };
+  };
+}
--- a/scripts/initrd-ssh-keygen.sh
+++ b/scripts/initrd-ssh-keygen.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+KEY_DIR="/etc/secrets/initrd"
+
+echo "Generating initrd SSH host keys in $KEY_DIR"
+
+sudo mkdir -p "$KEY_DIR"
+
+if [[ ! -f "$KEY_DIR/ssh_host_rsa_key" ]]; then
+  sudo ssh-keygen -t rsa -N "" -f "$KEY_DIR/ssh_host_rsa_key"
+  echo "Generated: $KEY_DIR/ssh_host_rsa_key"
+else
+  echo "Exists: $KEY_DIR/ssh_host_rsa_key"
+fi
+
+if [[ ! -f "$KEY_DIR/ssh_host_ed25519_key" ]]; then
+  sudo ssh-keygen -t ed25519 -N "" -f "$KEY_DIR/ssh_host_ed25519_key"
+  echo "Generated: $KEY_DIR/ssh_host_ed25519_key"
+else
+  echo "Exists: $KEY_DIR/ssh_host_ed25519_key"
+fi
+
+echo "Done. Now run nixos-rebuild."